CVE-2021-21558

8.2 HIGH

📋 TL;DR

CVE-2021-21558 is an information disclosure vulnerability in Dell EMC NetWorker backup software: a local administrator of the host running gstd (the NetWorker Management Console server daemon) can read the LDAP bind credentials NetWorker uses for external authentication from local log files. Whoever holds those credentials can authenticate to the directory as NetWorker's service account and, depending on the rights granted to that account, make unauthorized changes to the network domain. Affected systems are Dell EMC NetWorker versions 18.x through 19.4.0.1.

💻 Affected Systems

Products:
  • Dell EMC NetWorker
Versions: 18.x, 19.1.x, 19.2.x, 19.3.x, 19.4, 19.4.0.1
Operating Systems: All supported OS for NetWorker
Default Config Vulnerable: ⚠️ Yes, whenever NetWorker is configured to authenticate against LDAP or Active Directory
Notes: Requires local administrator access to the host running gstd (the NetWorker Management Console server daemon). Only deployments with LDAP/AD authentication configured have a bind credential to expose.

📦 What is this software?

Dell EMC NetWorker is an enterprise backup and recovery product. The NetWorker Management Console (NMC) is its administrative console; gstd is the NMC server daemon, and it can authenticate console users against an external LDAP or Active Directory server, which is why it holds (and, in the affected versions, logs) a directory bind credential.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The exposed LDAP bind account has broad rights in the directory (or its password is reused elsewhere). An attacker reads it from the gstd logs, gains domain administrator privileges, compromises the entire Active Directory domain, exfiltrates sensitive data, and deploys ransomware across the network.

🟠 Likely Case

A local administrator on the NMC server uses the bind credentials to reach systems and data beyond their remit, works toward domain-level access, and modifies backup configuration to degrade recovery capabilities.

🟢 If Mitigated

The bind account holds only the read access it needs for authentication, its password has been rotated, and log access is restricted and audited, so the exposure is limited to a low-privilege credential whose misuse is detectable and does not lead to domain compromise.

🌐 Internet-Facing: LOW - This vulnerability requires local administrator access to the NetWorker system, not directly exploitable from the internet.
🏢 Internal Only: HIGH - An internal attacker (or a compromised account) with local administrator rights on the NMC server can harvest the LDAP bind credentials and, depending on that account's directory privileges, escalate to domain-level access.

🎯 Exploit Status

Public PoC: No
Weaponized: No tooling required; the attack is reading a log file
Unauthenticated Exploit: No (local administrator access is a precondition)
Complexity: LOW

Exploitation requires existing local administrator access to the host running gstd. The attack consists of reading the LDAP bind credentials out of the local log files, which is trivial for a privileged user, and then authenticating to the directory with them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to NetWorker 19.4.0.2 or later

Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities

Restart Required: Yes

Instructions:

1. Download the latest NetWorker update from the Dell support portal.
2. Back up the current configuration.
3. Apply the patch following Dell's installation guide; the gstd/NMC server host is the component that writes the credentials to its logs, so make sure it is included, not only the NetWorker server and clients.
4. Restart the NetWorker services.
5. Verify that LDAP credentials are no longer written to the logs in plaintext.
6. Rotate the LDAP bind account's password and delete or archive log files (and any backups of them) written before the patch: the patch stops new entries but does not remove credentials already logged.

🔧 Temporary Workarounds

Restrict log file permissions (Linux)

Set strict permissions on the gstd/NMC log files so that non-administrative local accounts cannot read them (substitute your installation's log directory for the placeholder path):

chmod 600 /path/to/networker/logs/*.log
chown root:root /path/to/networker/logs/*.log

Caveats: this does not stop the attacker the CVE describes, a local administrator, because root (or a sudo-capable user) reads the files regardless of mode bits; it only shrinks the exposure to ordinary local users. Check which account gstd runs as before changing ownership and give the files to that account rather than blindly to root, or the daemon may lose the ability to write its logs. Apply matching permissions to the log directory itself, otherwise newly rotated log files come up with the default umask and are readable again.

Implement log monitoring and alerting (all platforms)

Audit read access to the NetWorker log files (a file-access audit rule on Linux, object access auditing on Windows) and alert on reads by anything other than the gstd service account, and on LDAP binds by the NetWorker bind account from hosts other than the NMC server.

🧯 If You Can't Patch

  • Implement strict access controls to limit local administrator privileges on the NMC server; treat that host as one that holds a domain credential
  • Enable comprehensive auditing and monitoring of NetWorker log file access and of the LDAP bind account's authentication activity
  • Grant the NetWorker LDAP bind account only the read access it needs to authenticate users, so a leaked credential cannot be used to change the domain
  • Rotate the bind account's password on a schedule and delete or archive old log files, since any log written while vulnerable may contain the password

🔍 How to Verify

Check if Vulnerable:

Check the NetWorker version with the 'nsr_render_log' command or in the NetWorker Administration console. If the version is 18.x through 19.4.0.1 and NetWorker is configured to authenticate against LDAP or Active Directory, the installation is vulnerable (on Linux the version can also be read from the installed lgto* packages with the package manager).

Check Version:

nsr_render_log -V

Verify Fix Applied:

After patching, confirm the version is 19.4.0.2 or later, then search the existing gstd/NMC log files for the LDAP bind account's DN or password. The patch only stops new entries, so any file that still contains the credential must be deleted (and the password rotated) before the exposure is closed.
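As an added example that is not part of this page or of Dell's NetWorker tooling, the following Python script performs the two checks above in one place: it scans log lines for an LDAP bind credential (the plaintext check in step 5 of the patch instructions and in "Verify Fix Applied"), masking the value so the report does not re-leak it, and it checks a log directory for files the chmod/chown workaround left readable. The log line format, the field names binddn/bindpw, the regular expressions, the gstd binary and log paths and the sample lines are constructed assumptions; NetWorker's real log format is not documented on this page.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# How a leaked bind secret might look in a gstd/NMC log line. These patterns are an
# assumption: the page does not document NetWorker's log format, so widen them to
# match whatever your own logs show.
PASSWORD_RE = re.compile(
    r"(?i)\b(bind[_-]?(?:pw|password)|ldap[_-]?password|password)\b\s*[=:]\s*(\S+)"
)
BIND_DN_RE = re.compile(r"(?i)\b(?:cn|uid)=[^,\s]+(?:,(?:ou|dc|o)=[^,\s]+)+")

# Constructed sample, not real NetWorker output.
SAMPLE_LOG = """\
2021-04-20 10:15:01 gstd: starting authentication service
2021-04-20 10:15:02 gstd: ldap config host=ldap.corp.example port=389 binddn=cn=nwbind,ou=svc,dc=corp,dc=example bindpw=Sup3rS3cret!
2021-04-20 10:15:03 gstd: ldap bind ok for cn=nwbind,ou=svc,dc=corp,dc=example
2021-04-20 10:16:10 gstd: user alice logged in (ldap)
""".splitlines()


def mask(secret):
    """Keep two characters so a hit can be matched to the real credential, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_ldap_secrets(lines):
    """Return one finding per line that carries an LDAP password, with the value masked
    so the scanner's own output does not become a second copy of the secret."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = PASSWORD_RE.search(line)
        if not m:
            continue
        dn = BIND_DN_RE.search(line)
        hits.append({
            "line": lineno,
            "key": m.group(1),
            "value": mask(m.group(2)),
            "bind_dn": dn.group(0) if dn else None,
        })
    return hits


def insecure_log_files(log_dir, owner_uid):
    """List *.log files that group/other can read or that are not owned by owner_uid
    (the account gstd runs as; confirm it before assuming root)."""
    findings = []
    for path in sorted(Path(log_dir).glob("*.log")):
        st = path.stat()
        problems = []
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("readable by group/other, mode %o" % stat.S_IMODE(st.st_mode))
        if st.st_uid != owner_uid:
            problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
        if problems:
            findings.append((path.name, problems))
    return findings


def demo_permission_check():
    """Build a throwaway directory standing in for the NMC log directory and run the check."""
    with tempfile.TemporaryDirectory() as d:
        leaky = Path(d, "gstd.log")
        leaky.write_text("constructed\n")
        leaky.chmod(0o644)          # the default-umask state the workaround is meant to fix
        tight = Path(d, "daemon.log")
        tight.write_text("constructed\n")
        tight.chmod(0o600)          # after `chmod 600`
        return [name for name, _ in insecure_log_files(d, owner_uid=os.getuid())]


if __name__ == "__main__":
    for hit in find_ldap_secrets(SAMPLE_LOG):
        print("line %(line)d: %(key)s=%(value)s (bind DN %(bind_dn)s)" % hit)
    print("still exposed:", demo_permission_check())   # ['gstd.log']
```

Run it against the real log directory by pointing find_ldap_secrets at each file's lines and insecure_log_files at the directory with the uid gstd runs as. A hit after patching means the file predates the fix and has to go, together with a password rotation; a clean scan of a file that was written while vulnerable only shows the patterns did not match, so compare against what your own logs actually record before trusting a negative result.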

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to NetWorker log files
  • LDAP authentication attempts from unusual locations
  • Changes to domain configuration from NetWorker system

Network Indicators:

  • LDAP queries from NetWorker systems to unusual domain controllers
  • Unexplained domain policy changes

SIEM Query (illustrative pseudo-query; the field names depend on how your collector normalises file-access and LDAP events):

source="NetWorker" AND (event="log_access" OR event="ldap_auth") AND user="administrator"

Tuning note: restricting the match to user="administrator" misses every other local administrator. A better filter alerts on log reads by any account except the one gstd runs as, and on LDAP binds by the NetWorker bind account from any source other than the NMC server.
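The file-access indicator above, as an added example rather than anything from the page or from Dell: a Linux auditd watch rule for the log directory and a small Python detector that parses audit records tagged with that rule and raises an alert for every access that did not come from the gstd daemon itself. The log directory, the gstd binary path and the audit records are constructed assumptions; the record syntax follows auditd's key=value format.

```python
import re

# Linux auditd watch for the gstd/NMC log directory. The path is the page's placeholder,
# not a real install path; substitute your own. Load with `auditctl -R <file>` or place
# the rule under /etc/audit/rules.d/ and run `augenrules --load`.
AUDIT_RULES = "-w /path/to/networker/logs -p rwa -k networker_logs\n"

# auid of processes started outside any login session (boot-started daemons).
UNSET_AUID = "4294967295"

# Assumed path of the gstd binary; the page does not give it.
TRUSTED_EXES = frozenset({"/path/to/networker/bin/gstd"})

# Constructed audit records, not captured from a real host.
SAMPLE_AUDIT = [
    # gstd itself, started at boot (no login session), touching its own logs: expected
    'type=SYSCALL msg=audit(1618911300.101:4501): arch=c000003e syscall=257 success=yes exit=5 '
    'items=1 ppid=1 pid=2030 auid=4294967295 uid=0 gid=0 euid=0 comm="gstd" '
    'exe="/path/to/networker/bin/gstd" key="networker_logs"',
    # the PATH record that accompanies a SYSCALL record: ignored by the detector
    'type=PATH msg=audit(1618911300.101:4501): item=0 name="/path/to/networker/logs/gstd.log" '
    'inode=1234 mode=0100600 ouid=0 ogid=0 key="networker_logs"',
    # an administrator's interactive session (auid=1001) reading the log as root via sudo: alert
    'type=SYSCALL msg=audit(1618911400.250:4620): arch=c000003e syscall=257 success=yes exit=3 '
    'items=1 ppid=3100 pid=3105 auid=1001 uid=0 gid=0 euid=0 comm="cat" '
    'exe="/usr/bin/cat" key="networker_logs"',
    # an unprivileged user denied by the chmod 600 workaround: still worth an alert
    'type=SYSCALL msg=audit(1618911500.777:4701): arch=c000003e syscall=257 success=no exit=-13 '
    'items=1 ppid=4000 pid=4002 auid=1002 uid=1002 gid=1002 euid=1002 comm="grep" '
    'exe="/usr/bin/grep" key="networker_logs"',
]


def parse_audit_record(line):
    """Turn one auditd record into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line)}


def suspicious_log_reads(audit_lines, trusted_exes=TRUSTED_EXES):
    """One alert per SYSCALL record tagged networker_logs, unless it came from a trusted
    daemon binary running without a login session. Failed opens are kept: a denied read
    after the chmod 600 workaround is still someone looking for the credentials."""
    alerts = []
    for line in audit_lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != "networker_logs":
            continue
        if rec.get("exe") in trusted_exes and rec.get("auid") == UNSET_AUID:
            continue
        alerts.append({
            "event": rec.get("msg"),
            "auid": rec.get("auid"),   # the login identity; survives sudo and su
            "uid": rec.get("uid"),     # the effective account at open() time
            "exe": rec.get("exe"),
            "succeeded": rec.get("success") == "yes",
        })
    return alerts


if __name__ == "__main__":
    for a in suspicious_log_reads(SAMPLE_AUDIT):
        print("%(event)s auid=%(auid)s uid=%(uid)s exe=%(exe)s succeeded=%(succeeded)s" % a)
```

The detector keys on auid rather than uid because the CVE's attacker is an administrator who becomes root via sudo or su: uid shows 0, but auid still names the person who logged in. Feed it `ausearch -k networker_logs --raw` output (or the same records from your SIEM) and whitelist only the daemon binary with an unset auid; a copy of gstd run by hand from a shell keeps the user's auid and is still flagged.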

🔗 References

  • Dell Security Advisory DSA-2021-104: https://www.dell.com/support/kbdoc/en-us/000186638/dsa-2021-104-dell-emc-networker-security-update-for-multiple-vulnerabilities
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21558
